WO 2005/094037
PCT/SE2004/001735

AMENDED CLAIMS 
[received by the International Bureau on 19 May 2005 (19.05.2005); 
original claims 39-40 are deleted, remaining claims unchanged (7 pages)]

CLAIMS 

1. A method of access control for a movable network managed by a mobile router,
wherein said mobile router is interconnected through a bi-directional link with a
mobility anchoring agent that anchors the network mobility for the mobile router, said
method comprising the steps of:

- exercising access control at the mobility anchoring agent to filter
downlink packets to said mobile router; and

- exercising access control at said mobile router to filter uplink packets to
said mobility anchoring agent.

2. The method of claim 1, wherein said mobility anchoring agent is a home agent 
in a home network of said mobile router. 

3. The method of claim 1, wherein said mobility anchoring agent is a local
forwarding agent in a visited network. 

4. The method of claim 1, wherein said mobility anchoring agent runs a NEMO-based
(Network Mobility) mobility support protocol with said mobile router.

5. The method of claim 4, wherein said mobile router is interconnected with said 
mobility anchoring agent through a NEMO bi-directional tunnel, and downlink 
packets are filtered before said NEMO bi-directional tunnel, and uplink packets are 
filtered before said NEMO bi-directional tunnel. 

6. The method of claim 1, wherein said step of exercising access control at the 
mobility anchoring agent involves checking headers of IP packets that traverse an 
access control point in said mobility anchoring agent, and said step of exercising 
access control at said mobile router involves checking headers of IP packets that
traverse an access control point in said mobile router.

7. The method of claim 1, further comprising the step of provisioning an access
control module at said mobility anchoring agent and an access control module at said 
mobile router with provisioning information from an access control source. 

8. The method of claim 7, wherein said provisioning step comprises the steps of:

- transferring provisioning information for the access control modules in
both said mobility anchoring agent and said mobile router from said access control
source to said mobility anchoring agent; and

- subsequently forwarding provisioning information for the access control
module in said mobile router from said mobility anchoring agent to said mobile router
over the bi-directional link.

9. The method of claim 8, wherein said provisioning information for the access 
control module in said mobile router includes provisioning information related only to
the uplink from said mobile router to said mobility anchoring agent.

10. The method of claim 9, wherein said uplink-related provisioning information 
includes access control filter information for filtering said uplink packets. 

11. The method of claim 7, wherein said access control source is implemented in an
AAA client, and provisioning information related to a node in said movable network is 
transferred from an AAA server associated with the home network of said node to said 
AAA client and the access control source. 

12. The method of claim 11, wherein the provisioning information related to said
node is transferred to said access control modules from said access control source only 
upon successful authentication of said node. 

13. The method of claim 11, wherein said AAA client is located in the same
network as the mobility anchoring agent, and provisioning information from said AAA
client is transferred to the mobile router side at least partly over said bi-directional
link. 

14. The method of claim 13, wherein said AAA client is a PANA (Protocol for 
carrying Authentication for Network Access) Authentication Agent.

15. The method of claim 7, wherein said provisioning step includes transferring 
provisioning information with at least one of the following protocols: PANA (Protocol 
for carrying Authentication for Network Access), PPP (Point-to-Point Protocol) and
IEEE 802.1X.

16. An arrangement for access control for a movable network managed by a mobile
router, wherein said mobile router is interconnected through a bi-directional link with
a mobility anchoring agent that anchors the network mobility for the mobile router,
said arrangement comprising:

- means for exercising access control at the mobility anchoring agent to
filter downlink packets to said mobile router; and

- means for exercising access control at said mobile router to filter uplink
packets to said mobility anchoring agent.

17. The arrangement of claim 16, wherein said mobility anchoring agent is a home 
agent in a home network of said mobile router. 

18. The arrangement of claim 16, wherein said mobility anchoring agent is a local 
forwarding agent in a visited network.

19. The arrangement of claim 16, wherein said mobile router and said mobility 
anchoring agent are configured to run a NEMO-based (Network Mobility) mobility 
support protocol.

20. The arrangement of claim 19, wherein said mobile router is interconnected with
said mobility anchoring agent through a NEMO bi-directional tunnel, and said access
control exercising means at said mobility anchoring agent is operable for filtering said
downlink packets before said NEMO bi-directional tunnel, and said access control
exercising means at said mobile router is operable for filtering said uplink packets
before said NEMO bi-directional tunnel.

21. The arrangement of claim 16, wherein said means for exercising access control 
at the mobility anchoring agent is operable for checking headers of IP packets that
traverse an access control point in said mobility anchoring agent, and said means for
exercising access control at said mobile router is operable for checking headers of IP 
packets that traverse an access control point in said mobile router. 

22. The arrangement of claim 16, further comprising means for provisioning said 
access control exercising means at said mobility anchoring agent and said access
control exercising means at said mobile router with provisioning information from an
access control source. 

23. The arrangement of claim 22, wherein said provisioning means comprises: 

- means for transferring provisioning information for access control at
both said mobility anchoring agent and said mobile router from said access control
source to said mobility anchoring agent; and

- means for forwarding provisioning information for access control at said
mobile router from said mobility anchoring agent to said mobile router over the
bi-directional link.

24. The arrangement of claim 23, wherein said provisioning information for access 
control at said mobile router includes information related only to the uplink from said 
mobile router to said mobility anchoring agent.

25. The arrangement of claim 24, wherein said uplink-related provisioning
information includes access control filter information for filtering said uplink packets. 

26. The arrangement of claim 22, wherein said access control source is 
implemented in an AAA client, and said arrangement further comprises means for
transferring provisioning information related to a given node in said movable network
from an AAA server associated with the home network of said node to said AAA 
client. 

27. The arrangement of claim 26, wherein said provisioning means is operable for
provisioning the provisioning information related to said node from said access control 
source only upon successful authentication of the node. 

28. The arrangement of claim 26, wherein said AAA client is located in the same 
network as the mobility anchoring agent, and said arrangement further comprises
means for transferring provisioning information from said AAA client to the mobile
router side at least partly over said bi-directional link. 

29. The arrangement of claim 26, wherein said AAA client is a PANA (Protocol for 
carrying Authentication for Network Access) Authentication Agent.

30. The arrangement of claim 22, wherein said provisioning means is operable for 
transferring provisioning information with at least one of the following protocols: 
PANA (Protocol for carrying Authentication for Network Access), PPP (Point-to-Point
Protocol) and IEEE 802.1X.

31. A mobility anchoring agent for anchoring network mobility for a mobile router 
that manages a movable network, wherein said mobility anchoring agent comprises: 

- means for interconnection with said mobile router through a
bi-directional link; and

- means for exercising access control to monitor and filter downlink
packets to said mobile router.

32. The mobility anchoring agent of claim 31, wherein said mobility anchoring 
agent is configured to run a NEMO-based (Network Mobility) mobility support
protocol with said mobile router.

33. The mobility anchoring agent of claim 31, wherein said mobility anchoring 
agent is configured for interconnection with said mobile router through a NEMO
bi-directional tunnel, and said means for exercising access control is operable for filtering
said downlink packets before said NEMO bi-directional tunnel. 

34. The mobility anchoring agent of claim 31, wherein said means for exercising 
access control is operable for checking headers of packets that traverse an access
control point in said mobility anchoring agent.

35. The mobility anchoring agent of claim 31, further comprising: 

- means for receiving provisioning information for access control at both
said mobility anchoring agent and said mobile router from an access control source;

- means for forwarding provisioning information for access control at said
mobile router to said mobile router.

36. The mobility anchoring agent of claim 35, wherein said provisioning 
information for access control at said mobile router includes information related only
to the uplink from said mobile router to said mobility anchoring agent.

37. The mobility anchoring agent of claim 31, wherein said mobility anchoring 
agent is configured to operate as local home agent for a node in said movable network.

38. An access control enforcement module for operation with a mobility anchoring
agent that anchors network mobility for a mobile router managing a movable network,
said mobile router being interconnected through a bi-directional link with said
mobility anchoring agent, wherein said access control enforcement module is operable
for exercising access control to monitor and filter downlink packets to said mobile
router.